Revocation Systems with Very Small Private Keys
Allison Lewko, University of Texas at Austin
Amit Sahai, UCLA
Brent Waters, University of Texas at Austin
Abstract
In this work, we design a method for creating public key broadcast encryption systems. Our main technical innovation is based on a new “two equation” technique for revoking users. This technique results in two key contributions:
First, our new scheme has ciphertext size overhead $O(r)$, where $r$ is the number of revoked users, and the size of public and private keys is only a constant number of group elements from an elliptic-curve group of prime order. In addition, the public key allows us to encrypt to an unbounded number of users. Our system is the first to achieve such parameters. We give two versions of our scheme: a simpler version which we prove to be selectively secure in the standard model under a new, but non-interactive assumption, and another version that employs the new dual system encryption technique of Waters to obtain adaptive security under the d-BDH and decisional Linear assumptions.
Second, we show that our techniques can be used to realize Attribute-Based Encryption (ABE) systems with non-monotonic access formulas, where our key storage is significantly more efficient than previous solutions. This result is also proven selectively secure in the standard model under our new non-interactive assumption.
1 Introduction
In a broadcast encryption system [20], a broadcaster encrypts a message such that a particular set S of devices can decrypt the message sent over a broadcast channel. Broadcast systems have a wide range of applications including file systems, group communication, DVD content distribution, and satellite subscription services. In many of these applications, the notion of revocation is important. For example, if a DVD-player’s key material is leaked on the Internet, one might want to revoke it from decrypting future disks. In another example, consider a group of nodes communicating sensitive control and sensor information over a wireless network; if any of these nodes becomes compromised, we’d like to revoke them from all future broadcasts.
In this work, we design new broadcast encryption schemes, and we focus on two important contributions.
Revocation Systems with Small Key Sizes. We create public key revocation encryption systems with small cryptographic private and public keys. Our systems have two important features relating respectively to public and private key size.
First, public keys in our two systems are short (just 5 group elements and 12 group elements respectively) and enable a user to create a ciphertext that revokes an unbounded number of users. This is in contrast to other systems [10, 34, 18] where the public parameters bound the number of users in the system and must be updated to allow more users.
Second, the cryptographic key material that must be stored securely on the receiving devices is small. Keeping the size of private key storage as low as possible is important as cryptographic keys will often be stored in tamper-resistant memory, which is more costly. This can be especially critical in small devices such as sensor nodes, where maintaining low device cost is particularly crucial. Device keys in our systems are only a small constant number of group elements (in fact, just 3 group elements and 5 group elements respectively) from an elliptic-curve group of prime order. Furthermore, our schemes are public-key stateless broadcast encryption schemes (footnote 1), and we work with stateless receivers.
We achieve this small device key size without compromising on other critical parameters such as ciphertext length: our ciphertexts will consist of just $O(r)$ group elements, where $r$ is the number of revoked users. This is the same behavior as the previously best-known schemes for revocation. We also do not compromise on security: we obtain adaptive security in the standard model under the well-established d-BDH and decisional Linear assumptions.
Attribute-Based Encryption with Non-Monotonic Formulas. Our second key contribution is that we show how our techniques can be applied to achieving efficient Attribute-Based Encryption (ABE) [37] schemes with non-monotonic access formulas. Ostrovsky, Sahai, and Waters [35] showed a connection between revocation schemes and achieving non-monotonic access formulas in ABE; to negate an attribute in an access formula one applies a revocation scheme using the attribute as an identity to be revoked. Ostrovsky, Sahai, and Waters give a particular instance by adapting the revocation scheme of Naor and Pinkas [34] to the ABE scheme of Goyal et al. [25]. The primary drawback of their scheme is that the private key size of their scheme blows up by a multiplicative factor of $\log n$, where $n$ is the maximum number of attributes. More precisely, once the DeMorgan's law transformation is made, each negated attribute in the private key will have $O(\log n)$ group elements. By adapting our new revocation techniques to the Goyal et al. ABE scheme, we get that each negated attribute will only take two group elements. In practice, for many applications the private key storage will decrease by an order of magnitude.

[Footnote 1] And in fact, our schemes are identity-based: each device's private key can be based on the device's natural
Our Techniques. The primary challenge in constructing broadcast encryption schemes is to achieve full collusion resilience – to make sure that if all the revoked users combine their key material, they still cannot decrypt ciphertexts.
In order to understand our techniques, it is useful to review the Naor-Pinkas [34] revocation scheme. Naor and Pinkas additionally show how to combine their scheme with traitor-tracing, but we will only be concerned with revocation. In their system, in order to revoke $r$ users (footnote 2), a degree $r$ polynomial $q(x)$ is chosen and $O(r)$ group elements are published allowing anyone to compute $g^{q(x)}$ for generator $g$ in group $G$ of order $p$. A private key for user $i$ consists of $q(i)$. To encrypt, a user selects a revoked set of users $S$ and a secret exponent $s \in \mathbb{Z}_p$. The ciphertext consists of $g^s$ along with $g^{s\,q(j)}$ for each revoked user $j$ in the set $S$. If an attacker consists of just users from the set $S$, he will be unable to produce any new points of the polynomial $s \cdot q(x)$. From a high level view, this system revokes by giving revoked users redundant information. The system provides collusion resistance by defining a “global” polynomial across the whole system. Unfortunately, this structure inherently locks the system to a predetermined maximum number of revoked users and a long public key.
In order to avoid these limitations, we propose a new methodology for building revocation systems. Like the Naor-Pinkas system, we use the idea of revocation by redundant equations. However, instead of using a system that defines a global polynomial, we let the encryption algorithm define several “local” revocation equations. Our techniques have two major components: First, we use a “two equation” method for decryption. A ciphertext will be encrypted such that a certain set $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_r\}$ will be revoked from decrypting it. (For our second system, we think of identities $\mathrm{ID}_i$ as being indices between 1 and $n$, where $n$ is the number of users in the system.) Since the ciphertext consists of $O(r)$ group elements, there will be a ciphertext component for each $\mathrm{ID}_i$. Intuitively, when decrypting, a user ID will apply his secret key to each component. If $\mathrm{ID} \neq \mathrm{ID}_i$, he will get two independent equations and be able to extract the $i$th decryption share. However, if $\mathrm{ID} = \mathrm{ID}_i$ (i.e. he is revoked), then he will only get two dependent equations of a two variable formula and thus be unable to extract the decryption share. Alternatively, we can view each ciphertext component as locally defining a different degree one polynomial. For component $i$, a user ID will get two points on a fresh degree one polynomial $q_i(x)$ iff $\mathrm{ID} \neq \mathrm{ID}_i$ (and otherwise the user will essentially only get one point on the polynomial, which is not enough to solve). We can view this as a local revocation of each user to a component of the ciphertext.
One large challenge of our “local” revocation approach is that we need to make sure that multiple users cannot collude to decrypt the message. For example, if there is a ciphertext that revokes $S = \{\mathrm{ID}_1, \mathrm{ID}_2\}$, these users might try to decrypt by letting user $\mathrm{ID}_2$ get the first share and user $\mathrm{ID}_1$ obtain the second share. To prevent this attack, our key shares are randomized or “personalized” to each user to prevent combination of decryption shares. To achieve this, we devise a new technique for achieving collusion resilience using novel cancelation techniques based on the power of a bilinear map.
Our first (simpler) system clearly demonstrates our techniques and is shown to be selectively secure under a new non-interactive assumption that we call the decisional q-Multi Exponent Bilinear Diffie-Hellman (q-MEBDH) assumption. We formally define this assumption in Appendix A.2. We show the assumption to hold in the generic bilinear group model in Appendix B.1 (footnote 3). We prove security in the standard static model, showing that a ciphertext that revokes up to $r$ users is secure if the decisional r-MEBDH assumption holds.

[Footnote 2] To revoke fewer than $r$ users, they simply revoke some “dummy” users.
Our second system combines the techniques of our first system with the recent dual system encryption technique of Waters [45]. This technique was used to give a fully secure IBE system under the d-BDH and decisional Linear Assumptions which we will adapt to form our revocation system. We prove our system to be adaptively secure in the standard model under the well-established d-BDH and decisional Linear assumptions. The clear advantage of this system over our first system is its adaptive security and reliance on simpler, more standard assumptions. Its only (relative) disadvantage is that the constant public and private key sizes are slightly higher than in our first system.
In a dual system, keys and ciphertext can take on two forms: they can either be normal (as used in the real system) or semi-functional. Security for dual systems is proved using a sequence of indistinguishable games, where the ciphertext and keys are changed to be semi-functional one by one. In the intermediate games where the keys switch to semi-functional, the simulator is prepared to create a semi-functional key for any identity and a challenge ciphertext for any allowed subset of revoked identities. This may seem problematic, since the simulator might try to test semi-functionality of the key in question for itself by creating a semi-functional challenge ciphertext where that user is not revoked. We will avoid this issue by making sure the simulator can only form the semi-functional ciphertext properly when the key in question is for a revoked user. This is similar to the technique used in the Broadcast Encryption scheme in [45] which was proven to be adaptively secure, but this system had key sizes which were linear in the number of users while our system achieves constant key sizes.
We believe that our technique will be of use in other cryptographic applications, as well. Recently, Waters [45] applied the revocation techniques of a prior version of this paper to construct new fully secure HIBE schemes based on simple assumptions, and fully secure IBE schemes with very short public parameters.
1.1 Related Work
Fiat and Naor [20] first introduced the problem of broadcast encryption. In their system they proposed a scheme that is secure against a collusion of $t$ users, where the ciphertext size was $O(t \log^2 t \log n)$. This system and other following work [41, 42, 43, 30, 21, 22] used a combinatorial approach. For this type of approach, there is an inherent tradeoff between the efficiency of the system and the number, $t$, of colluders that the system is resistant to. An attacker in the system that compromises more than $t$ users can compromise the security of the scheme.
For systems without a bound on the number of revoked users at setup, there have been two general classes of revocation broadcast schemes. The first stateless tree-based revocation schemes were proposed by Naor, Naor and Lotspiech [33] where they introduced the “subset cover” framework. In their framework users were assigned to leaves in a tree and belonged to different subsets. An encryptor encrypts to the minimum number of subsets that covers all the non-revoked users and none of the revoked ones. The primary challenge is to structure the subsets so that they are expressive enough to allow for small ciphertext overhead, yet don't impose large private key overhead on the user. The NNL paper proposed two systems with ciphertext sizes of $O(r \lg n)$ and $O(2r)$ and private key sizes of $O(\lg n)$ and $O(\lg^2 n)$ respectively. These methods were subsequently improved upon in future works by Halevy and Shamir [27] and by Goodrich, Sun, and Tamassia [24], where the GST system gives $O(r)$ size ciphertexts and $O(\lg n)$ size private keys. Dodis and Fazio [19] show how to make the NNL and Halevy and Shamir systems public key by employing hierarchical identity-based encryption methods. It is unknown how to realize the more efficient GST scheme in the public key setting.
The second class of methods is based on polynomial interpolation in the exponents of group elements and was given by Kurosawa and Desmedt [31] and Naor and Pinkas [34]. In these systems the setup algorithm picks a polynomial of degree $d$, where $d$ is the maximum number of users that can be revoked. Both the public key and ciphertexts are of size $d$. Yoo et al. [47] observe that $\lg(n)$ parallel systems can be used to handle $n$ users with $O(r)$ size private keys, $O(n)$ size public keys and $O(r)$ size ciphertexts.
We note that there are a class of stateful encryption schemes known as logical-tree-hierarchy schemes independently discovered by Wallner et al. [44] and Wong [46], which are improved in further work [13, 16, 39]. The drawback of stateful schemes is that if a receiver misses an update it won't be able to decrypt future messages (or this must be corrected somehow). Even so, our stateless solution actually provides a more efficient way to revoke users in the stateful setting than previous schemes.
We remark that two equation techniques are somewhat reminiscent of those used for knowledge extraction in discrete log proof of knowledge settings [38]. In addition, different types of two equation techniques have been applied in ecash applications (see e.g., [12] and the references therein).
We also note that [10] proposed the first non-trivial fully collusion resistant broadcast encryption scheme; broadcasts to a set of uncompromised users remain secure no matter how many other keys the adversary obtained. (In contrast, our approach and those referenced above would lead to very long ciphertexts if the number of revoked users were very large.) Their scheme is proven selectively secure and allows for broadcasts to an arbitrary set of users where the ciphertexts and private key material are both a constant number of group elements; however, the public key material is linear in the number of users in the system and, moreover, the public key must be accessible by any decryptor in the system. This makes their solution unusable for small devices that cannot store the public key. In comparison, our solution is appropriate for applications, like group encryption, where we expect relatively few devices will be compromised and revoked from the encryption and where we need very small storage.
Delerablée, Paillier and Pointcheval [18] use a type of inversion technique to achieve a system with small private keys, but public parameters still require a linear number of group elements in the number of users (footnote 4). Unlike our system, the published public parameters will establish an upper bound on the number of users that may be encrypted to (without “appending” to the public key), although private keys need not be modified. In addition, they obtain security from a non-standard assumption with a number of terms that grows polynomially.
Gentry and Waters [23] recently obtained an adaptively secure broadcast encryption system, but it has large keys (growing linearly with $n$, the number of users in the system) and is proven secure from a non-standard assumption which depends on $n$. To obtain adaptive security, they use a “two-key” transformation from semi-statically secure systems to adaptively secure systems. (Semi-static security is a sort of middle-ground between static and adaptive security.) This technique does not seem to extend to revocation systems.
Attribute-Based Encryption was introduced by Sahai and Waters [37]; subsequent works [25, 6, 17, 35, 26] have proposed ABE systems with different properties. Different authors [40, 32, 3, 11, 1, 4] have considered similar problems without considering collusion resistance.
[Footnote 4] The authors additionally describe a secret key version of the scheme where the broadcaster is the same as
Key Sizes. We stress that, as summarized above, all previous public key revocation schemes required (footnote 5) either (1) larger private key size by at least a factor of $\log n$, where $n$ is the number of users, or (2) much larger public parameter size, by a factor of $n$.
1.2 Organization
The rest of the paper is organized as follows. In Section 2 we provide the relevant definitions for revocation systems. We then give the construction of our simple revocation system in Section 3 and our second system in Section 4. We prove security of our system in Section 5. Finally, we show how to realize a non-monotonic Attribute-Based Encryption system with small private key sizes in Section 6.
2 Background
We begin by providing a security definition for a revocation system, in the identity-based framework. We use definitions that are similar, for example, to the definitions for broadcast encryption used by Boneh, Gentry, and Waters [10]; however we adapt our definition to the Identity-Based setting. Later, we state our complexity assumptions.
2.1 Revocation Systems
A revocation encryption system is made up of three randomized algorithms. For simplicity of notation, we assume an implicit security parameter of $\lambda$.
Setup. An authority will run the setup algorithm. The algorithm outputs a public key PK and master secret key MSK.
KeyGen(MSK,ID). The key generation algorithm takes in the master secret key MSK and an identity, ID. It generates a private key SKID for the identity.
Encrypt(S, PK, M). The encryption algorithm takes as input a revocation set $S$ of identities along with the public key and a message $M$ to encrypt. It outputs a ciphertext CT such that any user with a key for an identity $\mathrm{ID} \notin S$ can decrypt.
Decrypt(S, CT, ID, $D_{\mathrm{ID}}$). The decryption algorithm takes as input a ciphertext CT that was generated for the revocation set $S$, as well as an identity ID and a private key for it. If $\mathrm{ID} \notin S$ the algorithm will be able to decrypt and recover the message $M$ encrypted in the ciphertext.
We now define (chosen plaintext) security of a revocation encryption system. Security is defined using the following “Revocation Game” between an attack algorithm $\mathcal{A}$ and a challenger.
Setup. The challenger runs Setup to obtain a public key PK and master secret key MSK. It gives $\mathcal{A}$ the public key PK.
Key Query Phase. $\mathcal{A}$ adaptively issues private key queries for identities ID. The challenger gives $\mathcal{A}$ the corresponding decryption keys $d_{\mathrm{ID}}$.
[Footnote 5] We also stress that this is an “apples to apples” comparison, since in all these public-key schemes, the
Challenge. The attacker gives the challenger two messages $M_0, M_1$ and a set $S$ of revoked identities. $S$ must include all identities that were queried. Next, the challenger picks a random $b \in \{0,1\}$. The challenger runs algorithm Encrypt to obtain $\mathrm{CT} \xleftarrow{R} \mathrm{Encrypt}(S, \mathrm{PK}, M_b)$. It then gives CT to algorithm $\mathcal{A}$.
Guess. Algorithm $\mathcal{A}$ outputs its guess $b' \in \{0,1\}$ for $b$ and wins the game if $b = b'$.
Definition 1. We say that a revocation system is (chosen-plaintext) secure if, for all revocation sets $S$ of size polynomial in the security parameter, no polynomial-time adversary can win the “Revocation Game” (defined above) with non-negligible advantage over 1/2.
Our definition reflects the scenario where all users in the revoked set $S$ get together and collude (this is because the adversary can get all of the private keys for the revoked set). We note that selective (also called static) security is defined similarly, except that the revoked set $S$ must be declared by the adversary before it sees the public parameters.
Chosen-Ciphertext Security. We will also consider chosen-ciphertext (CCA) security, where the adversary can also issue decryption queries for ciphertexts that it constructs (as long as the queried ciphertexts are not equal to the challenge ciphertext). The game is identical to the game above, except decryption queries (for arbitrary revocation sets) are allowed. Our main construction will be chosen-plaintext secure; however it can be made CCA-secure using the techniques of Canetti, Halevi, and Katz [15].
3 Our Simple Revocation System
We now present our simpler revocation system. Our system has the following features: both public and private keys are of size independent of the number of users (i.e. only a constant number of group elements (footnote 6)); the ciphertext only contains $O(r)$ group elements, where $r$ is the number of revoked users.
Intuition. Our construction uses a novel application of secret sharing in the exponent. Suppose an encryption algorithm needs to create an encryption with a revocation set $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_r\}$ of $r$ identities. The algorithm will create an exponent $s \in \mathbb{Z}_p$ and split it into $r$ random shares $s_1, \ldots, s_r$ such that $\sum_i s_i = s$. It will then create a ciphertext such that any user key with $\mathrm{ID} = \mathrm{ID}_i$ will not be able to incorporate the $i$-th share and thus not decrypt the message.
Our approach presents us with two challenges. First, we need to make sure that a user with revoked identity $\mathrm{ID} = \mathrm{ID}_i$ cannot do anything useful with share $i$. Second, we need to worry about collusion attacks between multiple revoked users. Suppose a user with $\mathrm{ID} = \mathrm{ID}_i$ and a user with $\mathrm{ID} = \mathrm{ID}_j$ collude to attack a ciphertext. The attack we need to worry about is where user $j$ processes ciphertext share $i$, while user $i$ processes share $j$, and then they combine their results.
The first problem is addressed by the method of decryption. For each share, the ciphertext will have two components. A user with $\mathrm{ID} \neq \mathrm{ID}_i$ can use these two components to obtain two linearly independent equations (in the exponent) involving the share $s_i$ (and another variable), which he will use to solve for the share $s_i$. However, if $\mathrm{ID} = \mathrm{ID}_i$ he will get two linearly dependent equations and not be able to solve the system. We remark that these techniques are somewhat reminiscent of those used for knowledge extraction in discrete log proof of knowledge settings [38]. In addition, different types of two equation techniques have been applied in ecash applications (see e.g., [12] and the references therein).
To address the second challenge, we randomize each user's private key by an exponent $t$ such that in decryption each user recovers shares $t \cdot s_i$ in the exponent. Thus, we disallow useful collusions in a similar manner to some Identity-Based [14, 8] and Attribute-Based [37, 25, 6] encryption systems. Our construction follows.
3.1 Simple Construction
In the description of our construction we will use a bilinear group G of prime order p. We will assume that identities are taken from the set Zp; in practice, of course, we can perform a collision resistant hash from identity strings to Zp. We now give our construction as a set of four algorithms.
Setup. The setup algorithm chooses a group $G$ of prime order $p$. It then picks random generators $g, h \in G$ and picks random exponents $\alpha, b \in \mathbb{Z}_p$. The public key is published as:
\[
\mathrm{PK} = \big(g,\ g^{b},\ g^{b^2},\ h^{b},\ e(g,g)^{\alpha}\big).
\]
The authority keeps $\alpha, b$ as secrets.
KeyGen(MSK, ID). The key generation algorithm first chooses a random $t \in \mathbb{Z}_p$ and publishes the private key as:
\[
D_0 = g^{\alpha} g^{b^2 t},\qquad D_1 = \big(g^{b\cdot \mathrm{ID}} h\big)^{t},\qquad D_2 = g^{-t}.
\]
Encrypt(PK, M, S). The encryption algorithm first picks a random $s \in \mathbb{Z}_p$. Then it lets $r = |S|$ and chooses random $s_1, \ldots, s_r$ such that $s = s_1 + \cdots + s_r$. We let $\mathrm{ID}_i$ denote the $i$-th identity in $S$. It then creates the ciphertext CT as:
\[
C' = e(g,g)^{\alpha s} M,\qquad C_0 = g^{s}
\]
together with, for each $i = 1, 2, \ldots, r$:
\[
C_{i,1} = g^{b\cdot s_i},\qquad C_{i,2} = \big(g^{b^2 \cdot \mathrm{ID}_i} h^{b}\big)^{s_i}.
\]
Decrypt(S, CT, ID, $D_{\mathrm{ID}}$). If there exists $\mathrm{ID}' \in S$ such that $\mathrm{ID} = \mathrm{ID}'$ then the algorithm aborts; otherwise, the decryption algorithm computes:
\[
\frac{e(C_0, D_0)}{e\!\Big(D_1,\ \prod_{i=1}^{r} C_{i,1}^{1/(\mathrm{ID}-\mathrm{ID}_i)}\Big)\cdot e\!\Big(D_2,\ \prod_{i=1}^{r} C_{i,2}^{1/(\mathrm{ID}-\mathrm{ID}_i)}\Big)}
\]
which gives us $e(g,g)^{\alpha s}$; this can immediately be used to recover the message $M$ from $C'$. Note that this computation is only defined if $\mathrm{ID} \neq \mathrm{ID}_i$ for all $i$. Correctness follows from:
\[
\begin{aligned}
& e(C_0, D_0)\Big/\Big( e\!\Big(D_1,\ \prod_{i=1}^{r} C_{i,1}^{1/(\mathrm{ID}-\mathrm{ID}_i)}\Big)\cdot e\!\Big(D_2,\ \prod_{i=1}^{r} C_{i,2}^{1/(\mathrm{ID}-\mathrm{ID}_i)}\Big)\Big) \\
&= e(C_0, D_0)\Big/\prod_{i=1}^{r}\big(e(D_1, C_{i,1})\cdot e(D_2, C_{i,2})\big)^{1/(\mathrm{ID}-\mathrm{ID}_i)} \\
&= e\big(g^{s}, g^{\alpha} g^{b^2 t}\big)\Big/\prod_{i=1}^{r}\Big(e\big((g^{b\,\mathrm{ID}} h)^{t},\ g^{b s_i}\big)\cdot e\big(g^{-t},\ (g^{b^2 \mathrm{ID}_i} h^{b})^{s_i}\big)\Big)^{1/(\mathrm{ID}-\mathrm{ID}_i)} \\
&= e(g,g)^{s\alpha}\, e(g,g)^{s b^2 t}\Big/\prod_{i=1}^{r} e(g,g)^{s_i b^2 t} \\
&= e(g,g)^{s\alpha}.
\end{aligned}
\]
We obtain the following theorem. (The proof appears in Appendix B.)
Theorem 2. Suppose the decisional $q$-MEBDH assumption holds. Then no poly-time adversary can selectively break our system with a ciphertext encrypted to $r^* \le q$ revoked users.
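The four algorithms of Section 3.1, worked through as an added example that is not part of the paper. The model stores every group element $g^a$ as its discrete log $a \bmod P$, so multiplication in $G$ is addition, exponentiation is multiplication, and the pairing $e(g^a, g^b) = e(g,g)^{ab}$ is $a \cdot b \bmod P$; this makes the two-equation decryption and the effect of the per-key exponent $t$ checkable with plain integer arithmetic. The function names (`setup`, `keygen`, `encrypt`, `component_share`, `decrypt`, `collusion_recovers_message`), the toy prime `P` and the requirement that `S` be non-empty are this example's own assumptions; a real implementation would use an actual prime-order pairing group, where the logs are not available.

```python
"""Exponent-space model of the simple revocation system of Section 3.1.

Every group element g^a is stored as its discrete log a mod P, so multiplication
in G is addition mod P, exponentiation is multiplication mod P, and the pairing
e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod P. Elements of G_T are stored as logs
base e(g,g). This checks the "two equation" decryption algebra exactly; it is not
a secure implementation (the logs are public by construction). P is a constructed
toy prime and all helper names are this example's own, not the paper's.
"""
import secrets

P = 2**127 - 1  # constructed toy prime order


def rand():
    """Uniform non-zero exponent in Z_P."""
    return secrets.randbelow(P - 1) + 1


def inv(x):
    return pow(x % P, P - 2, P)


def setup():
    """PK = (g, g^b, g^{b^2}, h^b, e(g,g)^alpha); the authority keeps alpha, b (and log h)."""
    h, alpha, b = rand(), rand(), rand()
    pk = {"g_b": b, "g_b2": b * b % P, "h_b": h * b % P, "egg_alpha": alpha}
    return pk, {"alpha": alpha, "b": b, "h": h}


def keygen(msk, ID):
    """D0 = g^alpha g^{b^2 t}, D1 = (g^{b ID} h)^t, D2 = g^{-t}, with a fresh t per key."""
    t = rand()
    alpha, b, h = msk["alpha"], msk["b"], msk["h"]
    return {"ID": ID % P, "D0": (alpha + b * b * t) % P,
            "D1": (b * ID + h) * t % P, "D2": (-t) % P}


def encrypt(pk, m, S):
    """Encrypt M = e(g,g)^m (given by its log m), revoking the identities in S."""
    S = [ID % P for ID in S]
    if not S:
        # Assumption of this toy: revoke a dummy identity when nothing is revoked,
        # so that at least one share s_i exists (cf. the Naor-Pinkas footnote).
        raise ValueError("S must contain at least one (possibly dummy) identity")
    s = rand()
    shares = [rand() for _ in S[:-1]]
    shares.append((s - sum(shares)) % P)              # s_1 + ... + s_r = s
    parts = []
    for IDi, si in zip(S, shares):
        Ci1 = pk["g_b"] * si % P                       # g^{b s_i}
        Ci2 = (pk["g_b2"] * IDi + pk["h_b"]) * si % P  # (g^{b^2 ID_i} h^b)^{s_i}
        parts.append((IDi, Ci1, Ci2))
    return {"S": S, "Cprime": (m + pk["egg_alpha"] * s) % P,  # e(g,g)^{alpha s} M
            "C0": s, "parts": parts}                           # g^s


def component_share(ct, sk, i):
    """Log of (e(D1, C_{i,1}) e(D2, C_{i,2}))^{1/(ID - ID_i)}.

    For ID != ID_i the two pairings are two independent linear equations whose
    combination isolates e(g,g)^{b^2 t s_i}; for ID == ID_i the divisor is zero,
    so the share cannot be isolated: the user is locally revoked on component i."""
    IDi, Ci1, Ci2 = ct["parts"][i]
    delta = (sk["ID"] - IDi) % P
    if delta == 0:
        raise ZeroDivisionError("identity is revoked on this component")
    return (sk["D1"] * Ci1 + sk["D2"] * Ci2) * inv(delta) % P


def decrypt(ct, sk):
    """Return the log of M, or raise if sk's identity is in the revocation set."""
    if sk["ID"] in ct["S"]:
        raise ValueError("revoked identity")
    # e(C0, D0) = e(g,g)^{s alpha + s b^2 t}; the product over all shares is
    # e(g,g)^{b^2 t s}, so the quotient is e(g,g)^{alpha s}.
    total = sum(component_share(ct, sk, i) for i in range(len(ct["parts"]))) % P
    egg_alpha_s = (ct["C0"] * sk["D0"] - total) % P
    return (ct["Cprime"] - egg_alpha_s) % P


def collusion_recovers_message(ct, m, sk_a, sk_b):
    """The share-swap attempt of Section 3 in the toy: two revoked users each
    process the other's share and combine. Each key has its own t, so the
    combination is e(g,g)^{b^2 (t_a s_b + t_b s_a)}, not the e(g,g)^{b^2 t s}
    that e(C0, D0) contains for either key, and the blinding does not cancel."""
    ia, ib = ct["S"].index(sk_a["ID"]), ct["S"].index(sk_b["ID"])
    mixed = (component_share(ct, sk_a, ib) + component_share(ct, sk_b, ia)) % P
    return any((ct["Cprime"] - (ct["C0"] * sk["D0"] - mixed)) % P == m
               for sk in (sk_a, sk_b))
```

Running `decrypt` with a key whose identity lies outside `S` returns the message log; a revoked key fails on exactly the component whose divisor $\mathrm{ID} - \mathrm{ID}_i$ is zero, which is the "two dependent equations" case of the text, and `collusion_recovers_message` shows why the per-key $t$ stops two revoked users from pooling shares.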
4 Our Second Revocation System
This system retains the desirable properties of our simpler system: public and private keys still require only a constant number of group elements, and the ciphertext requires $O(r)$ group elements, where $r$ is the number of revoked users. The primary advantage of this system is that we obtain adaptive security from simple assumptions, namely the decisional Linear assumption and d-BDH.
Intuition. We combine the techniques of our simple construction with the dual system encryption technique of Waters [45]. Essentially, we append a version of our simple construction onto the core IBE construction of Waters.
4.1 Construction
We will again use a bilinear group $G$ of order $p$ and assume that identities are in the set $\{1, \ldots, n\}$, where $n$ is the number of users in the system.
Setup(n). The setup algorithm chooses a bilinear group $G$ of prime order $p$. It then chooses random generators $g, v, v_1, v_2, w, h \in G$ and random exponents $a_1, a_2, b, \alpha \in \mathbb{Z}_p$. It lets $\tau_1 = v v_1^{a_1}$, $\tau_2 = v v_2^{a_2}$. The public key is published as:
\[
\mathrm{PK} = \big(n,\ g^{b},\ g^{a_1},\ g^{a_2},\ g^{b a_1},\ g^{b a_2},\ \tau_1,\ \tau_2,\ \tau_1^{b},\ \tau_2^{b},\ w,\ h,\ e(g,g)^{\alpha a_1 b}\big).
\]
The master secret key is:
\[
\mathrm{MSK} = \big(g,\ g^{\alpha},\ g^{\alpha a_1},\ v,\ v_1,\ v_2,\ \mathrm{PK}\big).
\]
KeyGen(MSK, ID). The key generation algorithm chooses random exponents $d_1, d_2, z_1, z_2 \in \mathbb{Z}_p$ and sets $d = d_1 + d_2$. The private key $D_{\mathrm{ID}}$ is:
\[
\begin{aligned}
D_1 &= g^{\alpha a_1} v^{d}, & D_2 &= g^{-\alpha} v_1^{d} g^{z_1}, & D_3 &= (g^{b})^{-z_1}, & D_4 &= v_2^{d} g^{z_2}, \\
D_5 &= (g^{b})^{-z_2}, & D_6 &= g^{d_2 b}, & D_7 &= g^{d_1}, & K &= (w^{\mathrm{ID}} h)^{d_1}.
\end{aligned}
\]
Encrypt(PK, M, S). The encryption algorithm chooses random exponents $s_1, s_2, t_1, \ldots, t_r$ and sets $s = s_1 + s_2$, $t = t_1 + \cdots + t_r$ (where $r = |S|$, the number of revoked users). We let $\mathrm{ID}_i$ denote the $i$-th identity in $S$. The ciphertext CT is constructed as:
\[
\begin{aligned}
C_0 &= M\, e(g,g)^{\alpha a_1 b s_2}, & C_1 &= (g^{b})^{s}, & C_2 &= (g^{b a_1})^{s_1}, & C_3 &= (g^{a_1})^{s_1}, \\
C_4 &= (g^{b a_2})^{s_2}, & C_5 &= (g^{a_2})^{s_2}, & C_6 &= \tau_1^{s_1} \tau_2^{s_2}, & C_7 &= (\tau_1^{b})^{s_1} (\tau_2^{b})^{s_2} w^{-t},
\end{aligned}
\]
along with, for each $i = 1, 2, \ldots, r$:
\[
C_{i,1} = g^{t_i},\qquad C_{i,2} = (w^{\mathrm{ID}_i} h)^{t_i}.
\]
Decrypt(S, CT, ID, $D_{\mathrm{ID}}$). If $\mathrm{ID} = \mathrm{ID}_i$ for some $\mathrm{ID}_i \in S$, then the algorithm aborts. Otherwise, the decryption algorithm begins by computing:
\[
A_1 = e(C_1, D_1)\, e(C_2, D_2)\, e(C_3, D_3)\, e(C_4, D_4)\, e(C_5, D_5)
= e(g,g)^{\alpha a_1 b s_2}\, e(v,g)^{b s d}\, e(v_1,g)^{a_1 b s_1 d}\, e(v_2,g)^{a_2 b s_2 d}.
\]
Next, the algorithm computes:
\[
A_2 = e(C_6, D_6)\, e(C_7, D_7)
= e(v,g)^{b s d}\, e(v_1,g)^{a_1 b s_1 d}\, e(v_2,g)^{a_2 b s_2 d}\, e(g,w)^{-d_1 t}.
\]
Now,
\[
A_3 = A_1 / A_2 = e(g,g)^{\alpha a_1 b s_2}\, e(g,w)^{d_1 t},
\]
so if we separately compute $e(g,w)^{d_1 t}$, we can cancel this term and compute the blinding factor and hence recover the message. We compute $e(g,w)^{d_1 t}$ as follows:
\[
A_4 = \prod_{i=1}^{r}\left(\frac{e(C_{i,1}, K)}{e(C_{i,2}, D_7)}\right)^{\frac{1}{\mathrm{ID}-\mathrm{ID}_i}}
= \prod_{i=1}^{r}\Big(e(g,w)^{d_1 t_i (\mathrm{ID}-\mathrm{ID}_i)}\Big)^{\frac{1}{\mathrm{ID}-\mathrm{ID}_i}}
= \prod_{i=1}^{r} e(g,w)^{d_1 t_i} = e(g,w)^{d_1 t}.
\]
Thus, the message can be computed as:
Identity-Based Version. We can remove the parameter $n$ and the restriction that identities are between 1 and $n$ and allow identities to be in $\mathbb{Z}_p$. The resulting construction is selectively secure, but can also be seen as adaptively secure by a complexity leveraging argument, where one accepts degradation of security depending on the size of the identity space. Essentially, our hybrid proof of security requires the simulator to guess the identity of a single key query when it is making the public parameters. When the identity space is polynomial (e.g. 1 to $n$), this can be correctly guessed with non-negligible probability. When the identity space is exponential (e.g. $\mathbb{Z}_p$), we can achieve selective security by removing the guess (now the simulator knows the queried identities before it has to provide the public parameters) or retain adaptive security by accepting the exponentially small success probability.
5 Security
We will prove the following theorem.
Theorem 3. If the decisional Linear and decisional BDH assumptions hold, then our revocation system above is adaptively secure.
To prove this, we first define semi-functional keys and ciphertexts. These are not used in the real system, but they will be used in our proof of security. These objects have the following functionality: a semi-functional key can decrypt a normal ciphertext and a normal key can decrypt a semi-functional ciphertext. However, a semi-functional key cannot decrypt a semi-functional ciphertext. We define these as in the Waters IBE system:
Semi-Functional Ciphertexts. We generate a semi-functional ciphertext by first running the encryption algorithm to produce a normal ciphertext for message $M$ and set $S$:
\[
C'_0,\ C'_1,\ C'_2,\ C'_3,\ C'_4,\ C'_5,\ C'_6,\ C'_7,\ C'_{i,1},\ C'_{i,2}\quad \forall i \in S.
\]
Then we set $C_1 = C'_1$, $C_2 = C'_2$, $C_3 = C'_3$, $C_{i,1} = C'_{i,1}$, $C_{i,2} = C'_{i,2}$ $\forall i \in S$ (these values are left unchanged). We choose a random $x \in \mathbb{Z}_p$, and set the rest of the ciphertext as:
\[
C_4 = C'_4 \cdot g^{b a_2 x},\qquad C_5 = C'_5 \cdot g^{a_2 x},\qquad C_6 = C'_6 \cdot v_2^{a_2 x},\qquad C_7 = C'_7 \cdot v_2^{a_2 b x}.
\]
Semi-Functional Keys. We generate a semi-functional key by first running the key generation algorithm to produce a normal private key for identity ID:
\[
D'_1,\ D'_2,\ D'_3,\ D'_4,\ D'_5,\ D'_6,\ D'_7,\ K'.
\]
Then we set $D_3 = D'_3$, $D_5 = D'_5$, $D_6 = D'_6$, $D_7 = D'_7$, $K = K'$ (these values are left unchanged). We choose a random $\gamma \in \mathbb{Z}_p$. We set the rest of the key as:
\[
D_1 = D'_1 \cdot g^{-a_1 a_2 \gamma},\qquad D_2 = D'_2 \cdot g^{a_2 \gamma},\qquad D_4 = D'_4 \cdot g^{a_1 \gamma}.
\]
We will prove selective security of our system under the decisional Linear and d-BDH assumptions through a hybrid argument. We use the following sequence of games.
$\mathrm{Game}_{\mathrm{Real}}$: This denotes the real security game. We let $\mathrm{Game}_{\mathrm{Real}}\mathrm{Adv}_{\mathcal{A}}$ denote the advantage of an algorithm $\mathcal{A}$ in the real security game.
$\mathrm{Game}_k$: In this game, the ciphertext is semi-functional, and the keys given out for the first $k$ key queries are semi-functional, while the rest of the keys are normal. For an adversary that submits a revocation set $S$ of size $r$, we will let $k$ range from 0 to $r$. Note that in $\mathrm{Game}_r$, the ciphertext and all the keys are semi-functional.
$\mathrm{Game}_{\mathrm{Final}}$: This is the same as $\mathrm{Game}_r$, except that the ciphertext is a semi-functional encryption of a random message instead of $M_b$.
We show these games are indistinguishable in the following lemmas (the proofs can be found in Appendix C).
Lemma 4. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Game}_{\mathrm{Real}}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{0}\mathrm{Adv}_{\mathcal{A}} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in the decision Linear game.
Lemma 5. Suppose there exists an algorithm $\mathcal{A}$ that submits a revoked set of $r$ users and $\mathrm{Game}_{k-1}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{k}\mathrm{Adv}_{\mathcal{A}} = \epsilon$ for some $k$ with $1 \le k \le r$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon/n$ in the decision Linear game.
Lemma 6. Suppose there exists an algorithm $\mathcal{A}$ that submits a revoked set of $r$ users and $\mathrm{Game}_{r}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{\mathrm{Final}}\mathrm{Adv}_{\mathcal{A}} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in the decision BDH game.
6 Attribute-Based Encryption
Our simple revocation scheme also gives rise to a new efficient Attribute-Based Encryption (ABE) scheme that allows access policies to be expressed in terms of any access formula over attributes. Until the recent work of Ostrovsky, Sahai, and Waters [35], all previous ABE schemes were limited to expressing only monotonic access structures. Our new ABE scheme, however, achieves significantly superior parameters in terms of key size. In the random oracle model, our new scheme will have the following key sizes: public parameters will be only $O(1)$ group elements, and private keys for access structures involving $t$ leaf attributes will be of size $O(t)$. This is a significant improvement over previous work, which needed public parameters consisting of $O(n)$ group elements, and private keys consisting of $O(t \log(n))$ group elements, where $n$ is a bound on the maximum number of attributes that any ciphertext could have. In our scheme, we do not need any such bound.
For brevity, we only describe at a high level what makes our revocation scheme so amenable to incorporation into ABE schemes. The essential property of our revocation scheme is that successful decryption (if a non-revoked user tries to decrypt) allows the user to recover $e(g,g)^{\alpha s}$, where $\alpha$ is a system parameter, while $s$ is a random choice made at the time of encryption. This idea can be applied with $\alpha$ replaced by a linear secret share of $\alpha$ that corresponds to a negated leaf node in an access formula. By the properties of linear secret sharing schemes, and the randomization provided by $s$, this allows for a secure ABE system to be built using our revocation scheme as a building block.
Taken altogether, our revocation scheme gives a new and much more efficient instantiation of the OSW framework for non-monotonic ABE. We now describe our construction. We refer the reader to [35] for definitions. Our proofs appear in Appendix D.
6.1 Description of ABE construction
Setup. The setup algorithm chooses generators $g, h$ and picks random exponents $\alpha', \alpha'', b \in \mathbb{Z}_p$. We define $\alpha = \alpha' \cdot \alpha''$, $g_1 = g^{\alpha'}$ and $g_2 = g^{\alpha''}$. The public parameters are published as the following, where $H$ is a random oracle that outputs elements of the elliptic curve group:
$$PK = \big(g,\; g^b,\; g^{b^2},\; h^b,\; e(g,g)^{\alpha},\; H(\cdot)\big).$$
The authority keeps $(\alpha', \alpha'', b)$ as the master key $MK$.
Encryption $(M, \gamma, PK)$. To encrypt a message $M \in \mathbb{G}_T$ under a set of $d$ attributes $\gamma \subset \mathbb{Z}_p^*$, choose a random value $s \in \mathbb{Z}_p$, and choose a random set of $d$ values $\{s_x\}_{x \in \gamma}$ such that $s = \sum_{x \in \gamma} s_x$. Output the ciphertext as
$$E = \Big(\gamma,\; E^{(1)} = M\, e(g,g)^{\alpha \cdot s},\; E^{(2)} = g^s,\; \{E_x^{(3)} = H(x)^s\}_{x \in \gamma},\; \{E_x^{(4)} = g^{b \cdot s_x}\}_{x \in \gamma},\; \{E_x^{(5)} = g^{b^2 \cdot s_x \cdot x}\, h^{b \cdot s_x}\}_{x \in \gamma}\Big)$$
Key Generation $(\tilde{\mathbb{A}}, MK, PK)$. This algorithm outputs a key that enables the user to decrypt an encrypted message only if the attributes of that ciphertext satisfy the access structure $\tilde{\mathbb{A}}$. We require that the access structure $\tilde{\mathbb{A}}$ is $NM(\mathbb{A})$ for some monotonic access structure $\mathbb{A}$ (see [35] for a definition of the $NM(\cdot)$ operator) over a set $\mathcal{P}$ of attributes, associated with a linear secret-sharing scheme $\Pi$. First, we apply the linear secret-sharing mechanism $\Pi$ to obtain shares $\{\lambda_i\}$ of the secret $\alpha'$. We denote the party corresponding to the share $\lambda_i$ as $\breve{x}_i \in \mathcal{P}$, where $x_i$ is the attribute underlying $\breve{x}_i$. Note that $\breve{x}_i$ can be primed (negated) or unprimed (non-negated). For each $i$, we also choose a random value $r_i \in \mathbb{Z}_p$.
The private key $D$ will consist of the following group elements: For every $i$ such that $\breve{x}_i$ is not primed (i.e., is a non-negated attribute), we have
$$D_i = \Big(D_i^{(1)} = g_2^{\lambda_i} \cdot H(x_i)^{r_i},\; D_i^{(2)} = g^{r_i}\Big)$$
For every $i$ such that $\breve{x}_i$ is primed (i.e., is a negated attribute), we have
$$D_i = \Big(D_i^{(3)} = g_2^{\lambda_i}\, g^{b^2 r_i},\; D_i^{(4)} = g^{r_i b x_i}\, h^{r_i},\; D_i^{(5)} = g^{-r_i}\Big)$$
The key $D$ consists of $D_i$ for all shares $i$.
Decryption $(E, D)$. Given a ciphertext $E$ and a decryption key $D$, the following procedure is executed: (All notation here is taken from the above descriptions of $E$ and $D$, unless the notation is introduced below.) First, the key holder checks if $\gamma \in \tilde{\mathbb{A}}$ (we assume that this can be checked efficiently). If not, the output is $\bot$. If $\gamma \in \tilde{\mathbb{A}}$, then we recall that $\tilde{\mathbb{A}} = NM(\mathbb{A})$, where $\mathbb{A}$ is an access structure over a set of parties $\mathcal{P}$, for a linear secret-sharing scheme $\Pi$. Denote $\gamma' = N(\gamma) \in \mathbb{A}$, and let $I = \{i : \breve{x}_i \in \gamma'\}$. Since $\gamma'$ is authorized, an efficient procedure associated with the linear secret-sharing scheme yields a set of coefficients $\Omega = \{\omega_i\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = \alpha'$. (Note, however, that these $\lambda_i$ are not known to the decryption procedure, so neither is $\alpha'$.)
For every positive (non-negated) attribute $\breve{x}_i \in \gamma'$ (so $x_i \in \gamma$), the decryption procedure computes the following:
$$Z_i = e\big(D_i^{(1)}, E^{(2)}\big) \Big/ e\big(D_i^{(2)}, E_{x_i}^{(3)}\big) = e\big(g_2^{\lambda_i} \cdot H(x_i)^{r_i},\; g^s\big) \Big/ e\big(g^{r_i},\; H(x_i)^s\big)$$
For every negated attribute $\breve{x}_i \in \gamma'$ (so $x_i \notin \gamma$), the decryption procedure computes the following, following a simple analogy to the basic revocation scheme:
$$Z_i = \frac{e\big(D_i^{(3)}, E^{(2)}\big)}{e\Big(D_i^{(4)},\; \prod_{x \in \gamma} \big(E_x^{(4)}\big)^{1/(x_i - x)}\Big) \cdot e\Big(D_i^{(5)},\; \prod_{x \in \gamma} \big(E_x^{(5)}\big)^{1/(x_i - x)}\Big)} = e(g, g_2)^{s \lambda_i}$$
Finally, the decryption is obtained by computing
$$\frac{E^{(1)}}{\prod_{i \in I} Z_i^{\omega_i}} = \frac{M\, e(g,g)^{s\alpha}}{e(g, g_2)^{s\alpha'}} = M$$
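The decryption identities above can be checked mechanically. The following is an added example, not code from the paper: it simulates the Section 6.1 scheme at the level of exponents, storing every group element $g^a$ as its discrete log $a$ modulo $p$, so that multiplying elements is addition, exponentiation is multiplication, and a pairing $e(g^a, g^b) = e(g,g)^{ab}$ is a product of exponents. It is a correctness check of the "two equation" step for negated attributes and of the share recombination, not a secure implementation. The threshold access formula, the Shamir-style sharing used as the LSSS over the parties of $NM(\mathbb{A})$, the Mersenne prime and the SHA-256 model of $H$ are assumptions of the example.

```python
"""Exponent-level check of the non-monotonic ABE decryption of Section 6.1.
Added example, not code from the paper. Each group element g^a is kept as its
exponent a mod p, so e(g^a, g^b) = e(g,g)^{ab} becomes a * b mod p. NOT a
secure implementation: the "secret" exponents are plain integers here.
Assumed: threshold policy over literals (x, negated), Shamir sharing as the
LSSS, Mersenne prime p, SHA-256 as the random-oracle model of H.
"""
import hashlib
import secrets

P = 2**61 - 1   # prime order of G and G_T (assumption of the example)


def rand():
    """Random non-zero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1


def inv(a):
    return pow(a % P, P - 2, P)


def pair(a, b):
    """e(g^a, g^b) = e(g,g)^{ab}: a pairing multiplies exponents."""
    return a * b % P


def H(x):
    """Random-oracle model: H(x) = g^{h_x} with h_x derived from x by SHA-256."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % P


def setup():
    """PK = (g^b, g^{b^2}, h^b, e(g,g)^alpha), alpha = alpha' * alpha'', h = g^y."""
    a1, a2, b, y = rand(), rand(), rand(), rand()
    pk = {"gb": b, "gb2": b * b % P, "hb": y * b % P, "egg_alpha": a1 * a2 % P}
    return pk, {"a1": a1, "a2": a2, "b": b, "y": y}


def encrypt(m, gamma, pk):
    """Encrypt M = e(g,g)^m under attribute set gamma; s is split into shares s_x."""
    s_x = {x: rand() for x in gamma}
    s = sum(s_x.values()) % P
    return {"gamma": set(gamma),
            "E1": (m + pk["egg_alpha"] * s) % P,                 # M e(g,g)^{alpha s}
            "E2": s,                                             # g^s
            "E3": {x: H(x) * s % P for x in gamma},              # H(x)^s
            "E4": {x: pk["gb"] * s_x[x] % P for x in gamma},     # g^{b s_x}
            "E5": {x: (pk["gb2"] * s_x[x] * x + pk["hb"] * s_x[x]) % P
                   for x in gamma}}                              # g^{b^2 s_x x} h^{b s_x}


def keygen(policy, mk):
    """Shares lambda_i of alpha' from a Shamir polynomial; one key block per literal."""
    lits, k = policy["literals"], policy["k"]
    coeffs = [mk["a1"]] + [rand() for _ in range(k - 1)]         # f(0) = alpha'
    key = []
    for i, (x, neg) in enumerate(lits, start=1):
        lam = sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P   # lambda_i = f(i)
        r = rand()
        if not neg:   # D^(1) = g2^{lambda_i} H(x_i)^{r_i}, D^(2) = g^{r_i}
            key.append({"D1": (mk["a2"] * lam + H(x) * r) % P, "D2": r})
        else:         # D^(3) = g2^{lambda_i} g^{b^2 r_i}, D^(4) = g^{r_i b x_i} h^{r_i}, D^(5) = g^{-r_i}
            key.append({"D3": (mk["a2"] * lam + mk["b"] * mk["b"] * r) % P,
                        "D4": (r * mk["b"] * x + mk["y"] * r) % P,
                        "D5": -r % P})
    return key


def decrypt(ct, key, policy):
    """Return the exponent m of M, or None when gamma does not satisfy the policy."""
    gamma, lits, k = ct["gamma"], policy["literals"], policy["k"]
    # N(gamma): a positive literal holds if x in gamma, a negated one if x not in gamma
    I = [i for i, (x, neg) in enumerate(lits, start=1) if (x in gamma) != neg][:k]
    if len(I) < k:
        return None
    omega = {i: 1 for i in I}   # Lagrange coefficients: sum_i omega_i lambda_i = f(0) = alpha'
    for i in I:
        for j in I:
            if j != i:
                omega[i] = omega[i] * (-j) * inv(i - j) % P
    total = 0
    for i in I:
        (x, neg), D = lits[i - 1], key[i - 1]
        if not neg:
            z = pair(D["D1"], ct["E2"]) - pair(D["D2"], ct["E3"][x])
        else:   # "two equation" step; 1/(x_i - x) exists because x_i is not in gamma
            agg4 = sum(ct["E4"][xx] * inv(x - xx) for xx in gamma) % P
            agg5 = sum(ct["E5"][xx] * inv(x - xx) for xx in gamma) % P
            z = pair(D["D3"], ct["E2"]) - pair(D["D4"], agg4) - pair(D["D5"], agg5)
        total += omega[i] * (z % P)          # Z_i = e(g, g2)^{s lambda_i} in exponent form
    return (ct["E1"] - total) % P


def demo():
    """Policy: at least 2 of {x=10, NOT x=20, x=30}. Returns (via_negated, via_positive, rejected)."""
    pk, mk = setup()
    policy = {"literals": [(10, False), (20, True), (30, False)], "k": 2}
    key, m = keygen(policy, mk), rand()
    via_negated = decrypt(encrypt(m, {10}, pk), key, policy) == m            # 10 present, 20 absent
    via_positive = decrypt(encrypt(m, {10, 20, 30}, pk), key, policy) == m   # 10 and 30 present
    rejected = decrypt(encrypt(m, {20, 30}, pk), key, policy) is None        # only x=30 holds
    return via_negated, via_positive, rejected


if __name__ == "__main__":
    print(demo())
```

Changing any single ciphertext or key component in the simulation (for instance dropping the $h^{r_i}$ factor from $D_i^{(4)}$) breaks the cancellation of the $r_i b^2 s$ term and the recovered value is no longer $m$, which is a convenient way to see why both "equations" of a negated attribute are needed.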
Note on Efficiency and Use of Random Oracle Model. We note that encryption requires only a single pairing, which may be pre-computed, regardless of the number of attributes associated with a ciphertext. We also note that decryption requires two or three pairings per share utilized in decryption, depending on whether the share corresponds to a non-negated attribute or a negated attribute, respectively.
We also note that we use a random oracle for description simplicity and efficiency of the system. We can, alternatively, realize our hash function concretely as in other previous ABE systems [37, 25, 35].
References
[1] Sattam S. Al-Riyami, John Malone-Lee, and Nigel P. Smart. Escrow-free encryption supporting cryptographic workflow. Int. J. Inf. Sec., 5(4):217–229, 2006.
[2] H. Anton and C. Rorres. Elementary Linear Algebra, 9th Edition. 2005.
[3] Walid Bagga, Refik Molva, and Stefano Crosta. Policy-based encryption schemes from bilinear pairings. In ASIACCS, page 368, 2006.
[4] Manuel Barbosa and Pooya Farshim. Secure cryptographic workflow in the standard model. In INDOCRYPT, pages 379–393, 2006.
[5] A. Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.
[6] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In Proceedings of the IEEE Symposium on Security and Privacy, 2007.
[7] D. Boneh and M. Franklin. Identity Based Encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO, volume 2139 of LNCS, pages 213–229. Springer, 2001.
[8] Dan Boneh and Xavier Boyen. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In Advances in Cryptology – Eurocrypt, volume 3027 of LNCS, pages 223–238. Springer, 2004.
[10] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In CRYPTO, pages 258–275, 2005.
[11] Robert W. Bradshaw, Jason E. Holt, and Kent E. Seamons. Concealing complex policies with hidden credentials. In ACM Conference on Computer and Communications Security, pages 146–157, 2004.
[12] Jan Camenisch, Susan Hohenberger, and Anna Lysyanskaya. Compact e-cash. In EUROCRYPT, pages 302–321, 2005.
[13] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas. Multicast security: A taxonomy and some efficient constructions. In Proc. IEEE INFOCOM 1999, volume 2, pages 708–716. IEEE, 1999.
[14] R. Canetti, S. Halevi, and J. Katz. A Forward-Secure Public-Key Encryption Scheme. In Advances in Cryptology – Eurocrypt, volume 2656 of LNCS. Springer, 2003.
[15] R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. In Proc. of Eurocrypt 2004, volume 3027 of LNCS, pages 207–222. Springer-Verlag, 2004.
[16] R. Canetti, T. Malkin, and K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Proc. of Eurocrypt 1999, pages 459–474. Springer-Verlag, 1999.
[17] Melissa Chase. Multi-authority attribute-based encryption. In The Fourth Theory of Cryptography Conference (TCC 2007), 2007.
[18] Cécile Delerablée, Pascal Paillier, and David Pointcheval. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In Pairing, pages 39–59, 2007.
[19] Yevgeniy Dodis and Nelly Fazio. Public key broadcast encryption for stateless receivers. In Digital Rights Management Workshop, pages 61–80, 2002.
[20] A. Fiat and M. Naor. Broadcast encryption. In Proc. of Crypto 1993, volume 773 of LNCS, pages 480–491. Springer-Verlag, 1993.
[21] E. Gafni, J. Staddon, and Y.L. Yin. Efficient methods for integrating traceability and broadcast encryption. In Proc. of Crypto 1999, volume 1666 of LNCS, pages 372–387. Springer-Verlag, 1999.
[22] J. Garay, J. Staddon, and A. Wool. Long-lived broadcast encryption. In Proc. of Crypto 2000, volume 1880 of LNCS, pages 333–352. Springer-Verlag, 2000.
[23] C. Gentry and B. Waters. Adaptive security in broadcast encryption systems. In Advances in Cryptology – EUROCRYPT 2009, volume 5479 of LNCS, pages 171–188. Springer-Verlag, 2009.
[24] M.T. Goodrich, J.Z. Sun, and R. Tamassia. Efficient tree-based revocation in groups of low-state devices. In Proc. of Crypto 2004, volume 3152 of LNCS, pages 511–527. Springer-Verlag, 2004.
[26] Vipul Goyal, Abishek Jain, Omkant Pandey, and Amit Sahai. Bounded ciphertext policy attribute-based encryption. In ICALP, 2008.
[27] D. Halevy and A. Shamir. The LSD Broadcast Encryption Scheme. In Advances in Cryptology – CRYPTO, volume 2442 of LNCS, pages 47–60. Springer, 2002.
[28] A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proc. of ANTS IV, volume 1838 of LNCS, pages 385–94. Springer-Verlag, 2000.
[29] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. J. of Cryptology, 16(4):239–247, 2003. Early version in Cryptology ePrint Archive, Report 2001/003.
[30] Ravi Kumar, Sridhar Rajagopalan, and Amit Sahai. Coding constructions for blacklisting problems without computational assumptions. In CRYPTO, pages 609–623, 1999.
[31] Kaoru Kurosawa and Yvo Desmedt. Optimum traitor tracing and asymmetric schemes. In EUROCRYPT, pages 145–157, 1998.
[32] Gerome Miklau and Dan Suciu. Controlling access to published data using cryptography. In VLDB, pages 898–909, 2003.
[33] D. Naor, M. Naor, and J. Lotspiech. Revocation and tracing schemes for stateless receivers. In Proc. of Crypto 2001, volume 2139 of LNCS, pages 41–62. Springer-Verlag, 2001.
[34] M. Naor and B. Pinkas. Efficient trace and revoke schemes. In Proc. of Financial Cryptography 2000, volume 1962 of LNCS, pages 1–20. Springer-Verlag, 2000.
[35] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute Based Encryption with Non-Monotonic Access Structures. In ACM Conference on Computer and Communications Security (ACM CCS), 2007.
[36] V.V. Prasolov. Problems and Theorems in Linear Algebra. American Mathematical Society, 1994.
[37] A. Sahai and B. Waters. Fuzzy Identity Based Encryption. In Advances in Cryptology – Eurocrypt, volume 3494 of LNCS, pages 457–473. Springer, 2005.
[38] Claus-Peter Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3), 1991.
[39] A.T. Sherman and D.A. McGrew. Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng., 29(5):444–458, 2003.
[40] Nigel P. Smart. Access control using pairing based cryptography. In CT-RSA, pages 111–121, 2003.
[41] D.R. Stinson. On some methods for unconditionally secure key distribution and broadcast encryption. Des. Codes Cryptography, 12(3):215–243, 1997.
[42] D.R. Stinson and T.V. Trung. Some new results on key distribution patterns and broadcast encryption. Des. Codes Cryptography, 14(3):261–279, 1998.
[44] D.M. Wallner, E.J. Harder, and R.C. Agee. Key management for multicast: Issues and architectures. IETF draft wallner-key, 1997.
[45] B. Waters. Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions. In Proc. of Crypto 2009, volume 5677 of LNCS, pages 619–636. Springer-Verlag, 2009.
[46] C.K. Wong, M. Gouda, and S. Lam. Secure group communications using key graphs. In Proc. of SIGCOMM 1998, 1998.
[47] E. Yoo, N. Jho, J. Cheon, and M. Kim. Efficient broadcast encryption using multiple interpolation methods. In Proc. of ICISC 2004, volume 3506 of LNCS, pages 87–103. Springer-Verlag, 2005.
A Background on Bilinear Maps and our Complexity Assumptions
A.1 Bilinear Maps
We briefly review the necessary facts about bilinear maps and bilinear map groups. We use the following standard notation [28, 29, 7]:
1. $\mathbb{G}$ and $\mathbb{G}_T$ are two (multiplicative) cyclic groups of prime order $p$;
2. $g$ is a generator of $\mathbb{G}$;
3. $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is a bilinear map.
Let $\mathbb{G}$ and $\mathbb{G}_T$ be two groups as above. A bilinear map is a map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with the following properties:
1. Bilinear: for all $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degenerate: $e(g, g) \neq 1$.
We say that $\mathbb{G}$ is a bilinear group if the group action in $\mathbb{G}$ can be computed efficiently and there exists a group $\mathbb{G}_T$ and an efficiently computable bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ as above. Note that $e(\cdot, \cdot)$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.
A.2 Complexity Assumptions
Decisional Bilinear Diffie-Hellman Assumption The decisional Bilinear Diffie-Hellman problem is defined as follows. We choose a group $\mathbb{G}$ of prime order $p$. We choose a random generator $g$ of $\mathbb{G}$ and random exponents $c_1, c_2, c_3 \in \mathbb{Z}_p$. If the attacker is given
$$\vec{y} = \{g, g^{c_1}, g^{c_2}, g^{c_3}\},$$
it must remain hard to distinguish $e(g, g)^{c_1 c_2 c_3} \in \mathbb{G}_T$ from a random element of $\mathbb{G}_T$.
An algorithm $\mathcal{B}$ that outputs $z \in \{0, 1\}$ has advantage in solving decisional BDH in $\mathbb{G}$ if
$$\Big|\Pr\big[\mathcal{B}(\vec{y}, T = e(g,g)^{c_1 c_2 c_3}) = 0\big] - \Pr\big[\mathcal{B}(\vec{y}, T = R) = 0\big]\Big| \ge$$
Decisional Linear Assumption The decisional Linear problem is defined as follows. We choose a group $\mathbb{G}$ of prime order $p$. We choose random generators $g, f, \nu$ of $\mathbb{G}$ and random exponents $c_1, c_2 \in \mathbb{Z}_p$. If the attacker is given
$$\vec{y} = \{g, f, \nu, g^{c_1}, f^{c_2}\},$$
it must remain hard to distinguish $\nu^{c_1 + c_2}$ from a random element of $\mathbb{G}$.
An algorithm $\mathcal{B}$ that outputs $z \in \{0, 1\}$ has advantage in solving the decisional Linear problem in $\mathbb{G}$ if
$$\Big|\Pr\big[\mathcal{B}(\vec{y}, T = \nu^{c_1 + c_2}) = 0\big] - \Pr\big[\mathcal{B}(\vec{y}, T = R) = 0\big]\Big| \ge .$$
Definition 8. We say the decisional Linear assumption holds if no poly-time algorithm has a non-negligible advantage in solving the decisional Linear problem.
$q$-Decisional Multi-Exponent Bilinear Diffie-Hellman Assumption To prove the security of our simple system we use a new assumption that we call the $q$-decisional Multi-Exponent Bilinear Diffie-Hellman assumption. Our assumption falls within a class of assumptions shown to be secure in the generic group model by Boneh, Boyen, and Goh [9]. While our assumption is non-standard, we emphasize that it is non-interactive and thus falsifiable.
Let $\mathbb{G}$ be a bilinear group of prime order $p$. The $q$-MEBDH problem in $\mathbb{G}$ is stated as follows: A challenger picks a generator $g \in \mathbb{G}$ and random exponents $s, \alpha, a_1, \ldots, a_q$. The attacker is then given
$$\vec{y} = \Big(g,\; g^s,\; e(g,g)^{\alpha},\;\; \forall_{1 \le i,j \le q}\; g^{a_i},\; g^{a_i s},\; g^{a_i a_j},\; g^{\alpha/a_i^2},\;\; \forall_{1 \le i,j,k \le q,\, i \ne j}\; g^{a_i a_j s},\; g^{\alpha a_j/a_i^2},\; g^{\alpha a_i a_j/a_k^2},\; g^{\alpha a_i^2/a_j^2}\Big),$$
it must remain hard to distinguish $e(g, g)^{\alpha \cdot s} \in \mathbb{G}_T$ from a random element in $\mathbb{G}_T$.
An algorithm $\mathcal{B}$ that outputs $z \in \{0, 1\}$ has advantage in solving decisional $q$-parallel BDHE in $\mathbb{G}$ if
$$\Big|\Pr\big[\mathcal{B}(\vec{y}, T = e(g,g)^{\alpha s}) = 0\big] - \Pr\big[\mathcal{B}(\vec{y}, T = R) = 0\big]\Big| \ge .$$
Definition 9. We say that the $q$-decisional Multi-Exponent Bilinear Diffie-Hellman assumption holds if no poly-time algorithm has non-negligible advantage in solving the $q$-MEBDH problem.
Remark. It is tempting to try to simplify our assumption using previous techniques. For example, we might consider choosing a single variable $a$ and substituting all $a_j$ with $a^j$. Unfortunately, this substitution gives rise to a problem that is insecure.
B Security of our Simple Revocation System
B.1 Generic Security of Multi-Exponent BDH
Using the terminology from BBG we need to show that $f = \alpha s$ is independent of the polynomials $P$ and $Q$. We have that $Q = \{1, \alpha\}$. In addition, we have
$$P = \{1,\; s,\; \forall_{i,j \in [1,q]}\; a_i,\; a_i s,\; a_i a_j,\; \alpha/(a_i)^2\} \cup \{\forall_{i,j,k \in [1,q],\, i \ne j}\; a_i a_j s,\; \alpha a_j/a_i^2,\; \alpha a_i a_j/a_k^2,\; \alpha a_i^2/a_j^2\}$$
We first note that this case at first might appear to be outside the BBG framework, since the polynomials are rational functions (due to the terms with inverses). However, by a simple renaming of terms we can see this is equivalent to an assumption where we use a generator $u$ and let $g = u^{\prod_{j \in [1,q]} a_j^2}$. Applying this substitution we get a set of polynomials where the maximum degree of any polynomial in the set $P$ is $2q + 3$.
We need to also check that $f$ is symbolically independent of the product of any two polynomials in $P, Q$. To realize $f$ from $P, Q$ we would need to have a term of the form $\alpha s$. We note that no such term can be realized from the product of two polynomials $p, p' \in P$. If we use the polynomial $s$ as $p$ then no other potential $p'$ has $\alpha$. If we use $a_i \cdot s$ as $p$ then no other potential $p'$ has $\alpha/a_i$. Finally, if we use $a_i a_j s$ with $i \ne j$ for $p$ then no other potential $p'$ is of the form $\alpha/(a_i a_j)$ for $i \ne j$. Any dependence on $f$ must have a term of $s$ in it, but we just eliminated all possibilities.
It follows from the BBG framework that the assumption is then generically secure. In particular, for an attacker that makes at most $n$ queries to the group oracle we have that its advantage is bounded by
$$\frac{\big(n + 2(q^3 + 4q^2 + 3q) + 2\big)^2 \cdot (4q + 6)}{2p}$$
In the general case where $n > q^3$ we have that the advantage is $O(n^2 \cdot q/p)$.
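The case analysis above can be checked mechanically for small $q$. The following is an added example, not code from the paper: it encodes each element of $P$ as a vector of integer exponents over $(s, \alpha, a_1, \ldots, a_q)$, so that a product or a pairing of two given elements is vector addition, and searches exhaustively for two elements whose pairing yields $e(g,g)^{\alpha s}$. Because distinct monomials are linearly independent, no such pair means the target is not reachable from one pairing of given elements, which is the core of the argument. It also applies the substitution $a_j \to a^j$ from the Remark in Appendix A.2 to confirm that the collapsed variant does not have this property. The encoding and the values of $q$ tried are assumptions of the example.

```python
"""Monomial-level check of the generic-group argument of Appendix B.1.
Added example, not the paper's code. Each element the q-MEBDH attacker sees is
a Laurent monomial in (s, alpha, a_1..a_q), stored as a tuple of integer
exponents; a group product or a pairing of two elements is tuple addition.
Assumption: q is small enough to enumerate (|P| grows like q^3).
"""


def mono(q, s=0, alpha=0, a=()):
    """Exponent vector over (s, alpha, a_1..a_q); a is a list of (index, exponent) pairs."""
    v = [s, alpha] + [0] * q
    for i, e in a:
        v[1 + i] += e
    return tuple(v)


def mebdh_elements(q):
    """The set P of G-elements of the q-MEBDH problem, as exponent vectors."""
    R = range(1, q + 1)
    P = {mono(q), mono(q, s=1)}                           # g, g^s
    for i in R:
        P.add(mono(q, a=[(i, 1)]))                        # g^{a_i}
        P.add(mono(q, s=1, a=[(i, 1)]))                   # g^{a_i s}
        P.add(mono(q, alpha=1, a=[(i, -2)]))              # g^{alpha / a_i^2}
        for j in R:
            P.add(mono(q, a=[(i, 1), (j, 1)]))            # g^{a_i a_j}, i = j allowed
            if i == j:
                continue
            P.add(mono(q, s=1, a=[(i, 1), (j, 1)]))       # g^{a_i a_j s}
            P.add(mono(q, alpha=1, a=[(j, 1), (i, -2)]))  # g^{alpha a_j / a_i^2}
            P.add(mono(q, alpha=1, a=[(i, 2), (j, -2)]))  # g^{alpha a_i^2 / a_j^2}
            for k in R:
                P.add(mono(q, alpha=1, a=[(i, 1), (j, 1), (k, -2)]))   # g^{alpha a_i a_j / a_k^2}
    return P


def target(q):
    """Exponent vector of the challenge value e(g,g)^{alpha s}, i.e. f = alpha * s."""
    return mono(q, s=1, alpha=1)


def pairing_reaching(P, f):
    """Return (p, p') in P x P with p + p' == f, i.e. one pairing gives f; None if independent."""
    for p in P:
        need = tuple(t - x for t, x in zip(f, p))
        if need in P:
            return p, need
    return None


def collapse(P, q):
    """The Remark's substitution a_j -> a^j: fold the a-exponents into a single variable a."""
    return {(v[0], v[1], sum(j * v[1 + j] for j in range(1, q + 1))) for v in P}


def analyze(q):
    """Independence of alpha*s for the assumption as stated and for the collapsed variant."""
    P = mebdh_elements(q)
    return {"size": len(P),
            "independent": pairing_reaching(P, target(q)) is None,
            "collapsed_independent": pairing_reaching(collapse(P, q), (1, 1, 0)) is None}


if __name__ == "__main__":
    for q in (1, 2, 3, 4):
        print(q, analyze(q))
```

For the assumption as stated the search finds no pair for any $q$ tried, matching the hand argument; after the substitution $a_j \to a^j$ it finds one as soon as $q \ge 2$ (for instance $g^{a_1 s}$ paired with $g^{\alpha a_1 a_2/a_2^2}$, whose exponents sum to $\alpha s$ once every $a_j$ is a power of one $a$), which is the insecurity the Remark refers to.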
B.2 Proof of Security for Simple Revocation System
We now prove the following theorem.
Theorem 2. Suppose the decisional $q$-MEBDH assumption holds. Then no poly-time adversary can selectively break our simple revocation system with a ciphertext encrypted to $r^* \le q$ revoked users.
Suppose we have an adversary $\mathcal{A}$ with non-negligible advantage $\mathrm{Adv}_{\mathcal{A}}$ in the selective security game against our construction. Moreover, suppose $\mathcal{A}$ attacks our system with a ciphertext of at most $q$ revoked users. We show how to build a simulator, $\mathcal{B}$, that plays the decisional $q$-MEBDH problem.
The simulator begins by receiving a $q$-MEDDH challenge $\vec{X}, T$. The simulator then proceeds in the game as follows.
Init The adversary $\mathcal{A}$ declares a revocation set $S^* = \{ID_1, \ldots, ID_{r^*}\}$ of size $r^* \le q$ that he gives to the simulator. (If $r^* < q$ the simulator will just ignore some of the terms given in $\vec{X}$.)
Setup The simulator now creates the public key $PK$ and gives $\mathcal{A}$ the private keys for all identities in $S^*$. Conceptually, it will set $b$ as $a_1 + a_2 + \cdots + a_{r^*}$. The simulator first chooses a
The public key $PK$ is published as:
$$g,\quad g^b = \prod_{1 \le i \le r^*} g^{a_i},\quad g^{b^2} = \prod_{1 \le i,j \le r^*} \big(g^{a_i \cdot a_j}\big),\quad h = \prod_{1 \le i \le r^*} \big(g^{a_i}\big)^{-ID_i} g^{y},\quad e(g,g)^{\alpha}$$
We observe that the public parameters are distributed identically to the real system and that the revocation set S∗ is reflected in the simulation’s construction of the parameter h.
Now the simulator must construct all private keys in the revocation set $S^*$. For each identity $ID_i$ the simulator will choose a random $z_i \in \mathbb{Z}_p$ and will (implicitly) set the randomness $t_i$ of the $i$th identity as $t_i = -\alpha/a_i^2 + z_i$.
Setting $t_i$ this way allows us to generate the private key components for two reasons. First, in the $D_0$ component we need to cancel out the $g^{\alpha}$ term that we do not know. Since $g^{b^2}$ contains a term of $g^{a_i^2}$, raising it to $-\alpha/a_i^2$ will cancel this term. Second, we need to make sure that we can still realize the $D_2$ component. To generate this we will have several terms of the form $g^{\alpha a_j/a_i^2}$, which we have for $i \ne j$. Yet, if $i = j$ this generates a term $g^{\alpha/a_i}$ that we do not have. However, by our setting of the $h$ parameter a term like this will never appear. The private key for $ID_i$ is generated as follows:
$$D_0 = \prod_{\substack{1 \le j,k \le n \\ \text{s.t. if } j = k \text{ then } j,k \ne i}} \big(g^{-\alpha a_j a_k/a_i^2}\big) \prod_{1 \le j,k \le n} \big(g^{a_j a_k}\big)^{z_i}$$
$$D_1 = \prod_{1 \le j \le n,\; j \ne i} \big(g^{-\alpha \cdot a_j/a_i^2}\big)^{(ID_i - ID_j)} \big(g^{(ID_i - ID_j) \cdot a_j}\big)^{z_i} \cdot \big(g^{-\alpha/a_i^2}\big)^{y} g^{y z_i}$$
$$D_2 = g^{\alpha/a_i^2} g^{-z_i}$$
Remark. Note that in the above construction, for any fixed coefficient $\mu$, by changing $t_i = -\mu\alpha/a_i^2 + z_i$, and appropriately raising the relevant parts of the construction above to a $\mu$ factor, one can create $D_0 = g^{\mu\alpha + b^2 t_i}$, while keeping $D_1 = (g^{b ID_i} h)^{t_i}$, and $D_2 = g^{-t_i}$. This observation is not relevant to this proof, but will be useful in the proof of our related ABE scheme.
Challenge The simulator receives $M_0, M_1$ and chooses random $\beta \in \{0, 1\}$. The simulator then chooses random $s', s'_1, \ldots, s'_{r^*} \in \mathbb{Z}_p$ such that $s' = \sum_i s'_i$. For notational convenience let $u_i = g^{b^2 ID_i} h^b$; note this is computable from the public parameters, which were already set.
Conceptually, the ciphertext will be encrypted under randomness $\tilde{s} = s + s'$ and be broken into shares $\tilde{s}_i = a_i s/b + s'_i$. Recall that $b = \sum_j a_j$; therefore, $\sum \tilde{s}_i = \tilde{s}$.
Our methodology is to split $s$ into pieces such that we can simulate all ciphertext components. Conceptually, we will look for a "hole" in each term. We will use the fact that from the simulator's view the function $g^{b ID_i} h$ has no term of $g^{a_i}$ by cancellation. Therefore, if we raise this to $s \cdot a_i$ the simulator will have all the necessary terms. In this manner we "spread" the different shares of $s$ as $s \cdot a_i/b$, each into its own "slot".
Our proof technique has two important points. First, in simulating the $C_{i,1}$ and $C_{i,2}$ components the $b^{-1}$ term from the shares will cancel out. Second, in generating the $C_{i,2}$ components we will need elements of the form $g^{s a_i a_j}$ that we have for $i \ne j$. Yet, if $i = j$ this creates an
The challenge CT is created as
$$C_0 = T\, e(g,g)^{\alpha s'} \cdot M_\beta \qquad C_0 = g^s g^{s'}$$
$$C_{i,1} = g^{s a_i} \Big(\prod_j g^{a_j}\Big)^{s'_i} \qquad C_{i,2} = \prod_{1 \le j \le r^*,\; i \ne j} \big(g^{s a_i a_j}\big)^{ID_i - ID_j} \big(g^{a_i s}\big)^{y} u_i^{s'_i}$$
The $C_{i,2}$ equation can be understood by recalling that $C_{i,2} = (g^{b ID_i} h)^{b \tilde{s}_i}$ and then noting that $b\tilde{s}_i = s a_i + b s'_i$.
Guess The adversary will eventually output a guess $\beta'$ of $\beta$. The simulator then outputs 0 to guess that $T = e(g,g)^{\alpha s}$ if $\beta = \beta'$; otherwise, it outputs 1 to indicate that it believes $T$ is a random group element in $\mathbb{G}_T$.
When $T$ is a tuple the simulator $\mathcal{B}$ gives a perfect simulation so we have that
$$\Pr\big[\mathcal{B}(\vec{X}, T = e(g,g)^{\alpha s}) = 0\big] = \tfrac{1}{2} + \mathrm{Adv}_{\mathcal{A}}.$$
When $T$ is a random group element the message $M_\beta$ is completely hidden from the adversary and we have
$$\Pr\big[\mathcal{B}(\vec{X}, T = R) = 0\big] = \tfrac{1}{2}.$$
Therefore, $\mathcal{B}$ can play the decisional $q$-MEBDH game with non-negligible advantage.
B.3 Remark on Security Parameters
Our system is shown to be secure under a new non-interactive assumption. Our proof, in the standard model, shows that a ciphertext that revokes up to $r$ users is secure if the decisional $r$-MEBDH assumption holds. We remark that generically, an adversary that makes $n$ queries to a group oracle will have advantage $O(n^2 r/p)$ (see Appendix B.1) for a group of prime order $p$. Equivalent generic security to decisional Bilinear Diffie-Hellman can then be realized by increasing the size of $p$ by just an additive factor of $\lg(r)$ bits.
C Proof of Security for our Second Revocation System
Lemma 4. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Game}_{Real}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_0\mathrm{Adv}_{\mathcal{A}} = $. Then we can build an algorithm $\mathcal{B}$ with advantage in the decision Linear game.
Proof. (This proof is essentially the same as the proof of Lemma 1 in [45], but we include it for completeness.) $\mathcal{B}$ first receives an instance of the decisional Linear problem: $(\mathbb{G}, g, f, \nu, g^{c_1}, f^{c_2}, T)$. $\mathcal{B}$ must decide whether $T = \nu^{c_1 + c_2}$ or is random. To accomplish this, $\mathcal{B}$ will call on $\mathcal{A}$ by simulating either $\mathrm{Game}_{Real}$ or $\mathrm{Game}_0$. $\mathcal{A}$ first sends a set $S = \{ID_1, \ldots, ID_r\}$ to $\mathcal{B}$.
Setup $\mathcal{B}$ chooses random exponents $b, \alpha, y_v, y_{v_1}, y_{v_2} \in \mathbb{Z}_p$ and random group elements $w, h \in \mathbb{G}$. It then sets $g = g$, $g^{a_1} = f$, $g^{a_2} = \nu$, $w = w$, $h = h$. Note that $\mathcal{B}$ does not know the values $a_1, a_2$. It also sets:
$$g^b,\quad g^{b a_1} = f^b,\quad g^{b a_2} = \nu^b,\quad v = g^{y_v},\quad v_1 = g^{y_{v_1}},\quad v_2 = g^{y_{v_2}}.$$
$\mathcal{B}$ also computes $\tau_1, \tau_2, \tau_1^b, \tau_2^b, e(g,g)^{\alpha a_1 b} = e(g, f)^{\alpha b}$. Note that $\tau_1$ (for example) can be computed as $\tau_1 = v v_1^{a_1} = v f^{y_{v_1}}$. $\mathcal{B}$ sends the public parameters to $\mathcal{A}$.
Key Generation $\mathcal{B}$ only needs to produce normal keys for $ID_i$ for all $ID_i \in S$. It can produce these through the usual key generation algorithm since it knows $MSK = \{g, g^{a_1}, \alpha, v, v$
Challenge Ciphertext Once $\mathcal{B}$ has given $\mathcal{A}$ the public parameters and the keys for all elements of $S = \{ID_1, \ldots, ID_r\}$, $\mathcal{A}$ sends $\mathcal{B}$ two messages $M_0, M_1$. $\mathcal{B}$ chooses a random value $\beta \in \{0, 1\}$ and will create a semi-functional ciphertext for $M_\beta, S$ as follows. First, $\mathcal{B}$ chooses random exponents $s'_1, s'_2, t_1, \ldots, t_r$, and uses the normal encryption algorithm to produce $C'_0, C'_1, \ldots, C'_7, C'_{1,1}, C'_{1,2}, \ldots, C'_{r,1}, C'_{r,2}$. It leaves the terms $C_{i,1} = C'_{i,1}$, $C_{i,2} = C'_{i,2}$ unchanged for $i$ from 1 to $r$. The rest of the terms are set as:
$$C_0 = C'_0 \big(e(g^{c_1}, f)\, e(g, f^{c_2})\big)^{b\alpha},\quad C_1 = C'_1 (g^{c_1})^{b},\quad C_2 = C'_2 (f^{c_2})^{-b},\quad C_3 = C'_3 (f^{c_2})^{-1},\quad C_4 = C'_4 (T)^{b},$$
$$C_5 = C'_5 T,\quad C_6 = C'_6 (g^{c_1})^{y_v} (f^{c_2})^{-y_{v_1}} T^{y_{v_2}},\quad C_7 = C'_7 \big((g^{c_1})^{y_v} (f^{c_2})^{-y_{v_1}} T^{y_{v_2}}\big)^{b}.$$
If $T = \nu^{c_1 + c_2}$, this will be a normal ciphertext with $s_1 = -c_2 + s'_1$, $s_2 = c_1 + c_2 + s'_2$, and $s = s_1 + s_2 = c_1 + s'_1 + s'_2$. If $T$ is random, this will be a properly distributed semi-functional ciphertext. Thus, $\mathcal{B}$ can use $\mathcal{A}$'s output to obtain the same advantage in distinguishing $T = \nu^{c_1 + c_2}$ from random that $\mathcal{A}$ has in distinguishing $\mathrm{Game}_{Real}$ from $\mathrm{Game}_0$.
Lemma 5. Suppose there exists an algorithm $\mathcal{A}$ that submits a revoked set of $r$ users and $\mathrm{Game}_{k-1}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_k\mathrm{Adv}_{\mathcal{A}} = $ for some $k$ with $1 \le k \le r$. Then we can build an algorithm $\mathcal{B}$ with advantage n in the decision Linear game.
Proof. $\mathcal{B}$ first receives an instance of the decisional Linear problem: $(\mathbb{G}, g, f, \nu, g^{c_1}, f^{c_2}, T)$. $\mathcal{B}$ must decide whether $T = \nu^{c_1 + c_2}$ or is random. To accomplish this, $\mathcal{B}$ will call on $\mathcal{A}$ by simulating either $\mathrm{Game}_k$ or $\mathrm{Game}_{k-1}$. $\mathcal{B}$ randomly guesses a value $ID_k \in \{1, 2, \ldots, n\}$ for the $k$th key that $\mathcal{A}$ will query.
Setup $\mathcal{B}$ chooses random exponents $\alpha, a_1, a_2, y_{v_1}, y_{v_2}, y_w, y_h \in \mathbb{Z}_p$ and sets the public parameters by computing:
$$g^b = f,\quad g^{a_1},\quad g^{a_2},\quad g^{b a_1} = f^{a_1},\quad g^{b a_2} = f^{a_2},\quad v = \nu^{-a_1 a_2},\quad v_1 = \nu^{a_2} g^{y_{v_1}},\quad v_2 = \nu^{a_1} g^{y_{v_2}},$$
$$e(g,g)^{\alpha a_1 b} = e(f, g)^{\alpha a_1},\quad \tau_1 = v v_1^{a_1},\quad \tau_2 = v v_2^{a_2},\quad \tau_1^b = f^{y_{v_1} a_1},\quad \tau_2^b = f^{y_{v_2} a_2},\quad w = f g^{y_w},\quad h = w^{-ID_k} g^{y_h}.$$
We note that the distribution of these public parameters does not depend on the guess $ID_k$, since $y_h$ is randomly chosen. With probability $1/n$, $\mathcal{B}$ has correctly guessed the $k$th identity/index that $\mathcal{A}$ will query.
Key Generation To generate a normal key for $ID_j$ when $j > k$, the simulator $\mathcal{B}$ can run the usual key generation algorithm, since it knows the $MSK$. To generate a semi-functional key for $ID_j$ when $j < k$, the simulator can run the semi-functional key generation algorithm described above because it knows the exponents $a_1$ and $a_2$. For $ID_k$, the simulator will create a key that is normal if $T = \nu^{c_1 + c_2}$ and is semi-functional if $T$ is random.
When the $k$th query is received, if it does not equal the guessed value $ID_k$, the simulator quits. Otherwise, $\mathcal{B}$ continues. To generate the key for $ID_k$, $\mathcal{B}$ starts by running the usual key generation algorithm to produce a normal key $SK_{ID_k}$: $D'_1, D'_2, \ldots, D'_7, K'$. We let $d'_1, d'_2, z'_1, z'_2$ denote the random exponents that were chosen. We then set:
$$D_1 = D'_1 T^{-a_1 a_2},\quad D_2 = D'_2 T^{a_2} (g^{c_1})^{y_{v_1}},\quad D_3 = D'_3 (f^{c_2})^{y_{v_1}},\quad D_4 = D'_4 T^{a_1} (g^{c_1})^{y_{v_2}},$$
$$D_5 = D'_5 (f^{c_2})^{y_{v_2}},\quad D_6 = D'_6 f^{c_2},\quad D_7 = D'_7 (g^{c_1}),\quad K = K' (g^{c_1})^{y_h}.$$
We note that we have implicitly set $z_1 = z'_1 - y_{v_1} c_2$ and $z_2 = z'_2 - y_{v_2} c_2$. If $T = \nu^{c_1 + c_2}$, then this is a normal key with $d_1 = d'_1 + c_1$ and $d_2 = d'_2 + c_2$. We can compute $K$ because the $w^{ID_k}$ terms cancel: $K = (w^{ID_k} w^{-ID_k} g^{y_h})^{d'_1 + c_1}$. If $T$ is random, we can write $T$ as $T = \nu^{c_1 + c_2} g^{\gamma}$
Challenge Ciphertext Once $\mathcal{B}$ has given $\mathcal{A}$ the public parameters and the queried keys, $\mathcal{A}$ sends $\mathcal{B}$ two messages $M_0, M_1$ and the revoked set $S$, which must include all queried keys. $\mathcal{B}$ chooses a random value $\beta \in \{0, 1\}$ and will create a semi-functional ciphertext for $M_\beta, S$ as follows. First, $\mathcal{B}$ uses the normal encryption algorithm with randomly chosen exponents $s'_1, s'_2, t'$ to create $C'_0, C'_1, \ldots, C'_7$. Then $C_0 = C'_0$, $C_1 = C'_1$, $C_2 = C'_2$, $C_3 = C'_3$ are left unchanged. To add semi-functionality, $\mathcal{B}$ chooses a random exponent $x \in \mathbb{Z}_p$ and sets:
$$C_4 = C'_4 f^{a_2 x},\quad C_5 = C'_5 g^{a_2 x},\quad C_6 = C'_6 v_2^{a_2 x},\quad C_7 = C'_7 f^{a_2 y_{v_2} x} \nu^{-a_1 x y_w a_2}.$$
To create $C_7$, we have implicitly set $g^t = g^{t'} \nu^{a_1 x a_2}$. We let $y_\nu$ denote the unknown discrete log of $\nu$ in base $g$. Then, we have set $t = t' + y_\nu a_1 a_2 x$, so $t$ is not known to $\mathcal{B}$, but $t'$ is. For $i \ne k$, $1 \le i \le r$, $\mathcal{B}$ sets $t_i$ to be a randomly chosen value. We let $t''$ denote the sum of these values. Then $t_k$ is defined to be $t' - t'' + y_\nu a_1 a_2 x$. For $i \ne k$, the simulator $\mathcal{B}$ knows the value of $t_i$, and so can compute:
$$C_{i,1} = g^{t_i},\quad C_{i,2} = (w^{ID_i} h)^{t_i}.$$
For $i = k$, $\mathcal{B}$ computes:
$$C_{k,1} = g^{t_k} = g^{t' - t''} \nu^{a_1 a_2 x},$$
$$C_{k,2} = (w^{ID_k} w^{-ID_k} g^{y_h})^{y_\nu a_1 a_2 x + t' - t''} = \nu^{y_h a_1 a_2 x} g^{y_h (t' - t'')}.$$
We note that we could only form the semi-functional ciphertext because $ID_k \in S$: otherwise we would not have been able to use the cancellation of $w^{ID_k}$ to compute the ciphertext term corresponding to the unknown share. This is an essential feature of our argument: the simulator must not be able to test semi-functionality of key $k$ for itself by doing a test decryption on the semi-functional ciphertext it can create. In this case, such a test will fail because the created key $k$ must always be for a revoked user who cannot decrypt, otherwise the semi-functional challenge ciphertext cannot be created.
In summary, when $T = \nu^{c_1 + c_2}$ and $\mathcal{B}$ has guessed correctly, $\mathcal{B}$ has properly simulated $\mathrm{Game}_{k-1}$. When $T$ is random and $\mathcal{B}$ has guessed correctly, $\mathcal{B}$ has properly simulated $\mathrm{Game}_k$. Thus, $\mathcal{B}$ can use $\mathcal{A}$'s output to obtain the same advantage in distinguishing $T = \nu^{c_1 + c_2}$ from random that $\mathcal{A}$ has in distinguishing $\mathrm{Game}_{k-1}$ from $\mathrm{Game}_k$, on condition that it guesses correctly. Since this happens with probability $1/n$, its overall advantage is n, where is the advantage of $\mathcal{A}$.
Lemma 6. Suppose there exists an algorithm $\mathcal{A}$ that submits a revoked set of $r$ users and $\mathrm{Game}_r\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{Final}\mathrm{Adv}_{\mathcal{A}} = $. Then we can build an algorithm $\mathcal{B}$ with advantage in the decision BDH game.
Proof. (This proof is essentially the same as the proof of Lemma 3 in [45], but we include it for completeness.) $\mathcal{B}$ first receives an instance of the d-BDH problem: $(g, g^{c_1}, g^{c_2}, g^{c_3}, T)$. $\mathcal{B}$ must decide whether $T = e(g,g)^{c_1 c_2 c_3}$ or is random. To accomplish this, $\mathcal{B}$ will call on $\mathcal{A}$ by simulating either $\mathrm{Game}_r$ or $\mathrm{Game}_{Final}$. $\mathcal{A}$ first sends a set $S = \{ID_1, \ldots, ID_r\}$ to $\mathcal{B}$.
Setup $\mathcal{B}$ chooses random exponents $a_1, b, y_v, y_{v_1}, y_{v_2}, y_w, y_h \in \mathbb{Z}_p$. It sets:
$$g = g,\quad g^b,\quad g^{a_1},\quad g^{a_2} = g^{c_2},\quad g^{b a_1},\quad g^{b a_2} = (g^{c_2})^{b},\quad v = g^{y_v},\quad v_1 = g^{y_{v_1}},\quad v_2 = g^{y_{v_2}},\quad w = g^{y_w},\quad h = g^{y_h},\quad e(g,g)^{a_1 \alpha b} = e(g^{c_1}, g^{c_2})^{a_1 b}.$$
Note that this implicitly sets $a_2$ to the unknown value $c_2$ and $\alpha$ to the unknown value $c_1 c_2$. $\mathcal{B}$ also computes $\tau_1 = v v_1^{a_1}$, $\tau_1^b$, $\tau_2 = v (g^{c_2})^{y_{v_2}}$, $\tau_2^b$.
Key Generation $\mathcal{B}$ must now generate semi-functional keys for $ID_1, \ldots, ID_r$. For each $ID_i$, $\mathcal{B}$ chooses random exponents $d_1, d_2, z_1, z_2, \gamma' \in \mathbb{Z}_p$ and sets $d = d_1 + d_2$. The key elements are computed as:
$$D_1 = (g^{c_2})^{-\gamma' a_1} v^{d},\quad D_2 = (g^{c_2})^{\gamma'} v_1^{d} g^{z_1},\quad D_3 = (g^b)^{-z_1},\quad D_4 = (g^{c_1})^{a_1} g^{a_1 \gamma'} v_2^{d} g^{z_2},$$
$$D_5 = g^{-b z_2},\quad D_6 = g^{d_2 b},\quad D_7 = g^{d_1},\quad K = (w^{ID_i} h)^{d_1}.$$
Challenge Ciphertext Once $\mathcal{B}$ has given $\mathcal{A}$ the public parameters and the keys for all elements of $S = \{ID_1, \ldots, ID_r\}$, $\mathcal{A}$ sends $\mathcal{B}$ two messages $M_0, M_1$. $\mathcal{B}$ chooses a random value $\beta \in \{0, 1\}$ and will create either a semi-functional ciphertext for $M_\beta$ or a semi-functional encryption of a random message.
$\mathcal{B}$ chooses random exponents $s_1, x', t_1, \ldots, t_r$ and sets $t = t_1 + \cdots + t_r$. It forms the ciphertext as:
$$C_0 = M_\beta T^{a_1 b},\quad C_1 = g^{s_1 b} (g^{c_3})^{b},\quad C_2 = g^{b a_1 s_1},\quad C_3 = g^{a_1 s_1},\quad C_4 = (g^{c_2})^{x' b},\quad C_5 = (g^{c_2})^{x'},$$
$$C_6 = \tau_1^{s_1} (g^{c_3})^{y_v} (g^{c_2})^{y_{v_2} x'},\quad C_7 = (\tau_1^b)^{s_1} (g^{c_3})^{y_v b} (g^{c_2})^{y_{v_2} x' b} w^{-t},\quad C_{1,1} = g^{t_1},\quad C_{1,2} = (w^{ID_1} h)^{t_1},\; \ldots,\; C_{r,1} = g^{t_r},\quad C_{r,2} = (w^{ID_r} h)^{t_r}.$$
These assignments implicitly set $s_2 = c_3$ and $x = -c_3 + x'$.
If $T = e(g,g)^{c_1 c_2 c_3}$, then this is a properly distributed semi-functional encryption of $M_\beta$. If $T$ is random, then this is a properly distributed semi-functional encryption of a random message. Thus, $\mathcal{B}$ can use $\mathcal{A}$'s output to distinguish $T = e(g,g)^{c_1 c_2 c_3}$ from random with the same advantage that $\mathcal{A}$ has in distinguishing $\mathrm{Game}_r$ from $\mathrm{Game}_{Final}$.
D Proof of Security for ABE scheme
We prove that the security of our main construction in the attribute-based selective-set model reduces to the hardness of the q-MEBDH assumption.
Theorem 10. If an adversary can break our ABE scheme with advantage in the attribute-based selective-set model of security, then a simulator can be constructed to play the $q$-MEBDH game with advantage /2.
Proof. Our proof will follow the outline of, and include much of the text from, the proofs of previous ABE schemes [37, 25, 35], but will incorporate the ideas from our new revocation scheme. We note that our revocation scheme, which we will use to realize "negated" attributes in our ABE scheme, is based on the $q$-MEDDH assumption. The technique we use to deal with ordinary, non-negated attributes is the same as [25], which was based on the BDDH assumption. To adapt that part to the $q$-MEDDH assumption, we note that the BDDH assumption is embedded (in many different ways) in the $q$-MEDDH assumption that we use. In the BDDH assumption, we are given $A = g^{\tilde{a}}$, $B = g^{\tilde{b}}$, $g^s$ and must distinguish $e(g,g)^{\tilde{a}\tilde{b}s}$ from a random element. We will implicitly set $\tilde{a} = \alpha/a_1^2$, and $\tilde{b} = a_1^2$. Note that in the $q$-MEDDH assumption, we are given $A = g^{\tilde{a}}$ and $B = g^{\tilde{b}}$ for these settings of $\tilde{a}$ and $\tilde{b}$. Below we will use $A$ and $B$ to mean these values.
Suppose there exists a polynomial-time adversary $\mathcal{A}$ that can attack our scheme in the selective-set model with advantage . We build a simulator $\mathcal{B}$ that can play the $q$-MEDDH game with advantage /2. The simulation proceeds as follows: